Microsoft Security Bulletin (MS00-100)
Patch Available for “Malformed Web Form Submission” Vulnerability
Originally posted: December 22, 2000
Microsoft has released a patch that eliminates a security vulnerability in a component that ships as part of Microsoft® Internet Information Server. The vulnerability could potentially allow an attacker to prevent an affected web server from providing useful service.
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-100.asp
The FrontPage Server Extensions (FPSE) ship with and are installed by default as part of IIS 4.0 and 5.0. The most familiar FPSE functions allow web site and content management; however, FPSE also provides browse-time support functions. Among the functions included in the latter category are ones that help process web forms that have been submitted by a user. A vulnerability exists in one of these functions. If a malicious user levied a specially-malformed form submission to an affected server, it would cause the IIS service to fail. The vulnerability does not provide the opportunity to misuse any of the FPSE administrative or content management functions.
To resume normal operation on an IIS 4.0 server, the operator would need to restart the service. In contrast, if an IIS 5.0 server were attacked via this vulnerability, the IIS service would, by default, automatically restart almost immediately. Although any web sessions that were in progress at the time of the attack would be lost, the server would be able to accept new connections as soon as the service was restarted. FPSE is installed by default as part of IIS 4.0 and 5.0, but, in keeping with best practices, Microsoft recommends that they be disabled if not needed.
Affected Software Versions
Microsoft IIS 4.0
Microsoft IIS 5.0
Microsoft IIS 5.0:
Microsoft IIS 4.0:
Note: The IIS 5.0 patch can be applied atop system running either Windows 2000 Gold or Service Pack 1. It will be included in Windows 2000 Service Pack 2.
Note: The IIS 4.0 patch can be applied atop system running Windows NT 4.0 Service Pack 6a or 5. It will be included in Windows NT 4.0 Service Pack 7.
Note: IIS users who have removed the FPSE are not affected by this vulnerability and do not need to take further action.
Note Additional security patches are available at the Microsoft Download Center
Please see the following references for more information related to this issue.
Frequently Asked Questions: Microsoft Security Bulletin MS00-100, http://www.microsoft.com/technet/security/bulletin/fq00-100.asp
Microsoft Knowledge Base article Q280322 discusses this issue and will be available soon.
Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.
Microsoft thanks eEye Digital Security (http://www.eEye.com) for reporting this issue to us and working with us to protect customers.
December 22, 2000: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.